CBN BVN Consent Form (Nigeria)

A CBN BVN Consent Form in Nigeria records a party's informed permission for a specified act, authorising it to proceed.

The BVN system was established by the CBN under Circular BSD/DIR/GEN/LAB/14/012 of 2014 and is administered by the Nigeria Inter-Bank Settlement System (NIBSS). Each BVN is an 11-digit unique identifier linked to an individual's biometric data (fingerprints and facial photograph) registered at the point of BVN enrolment at any CBN-licensed bank. The BVN consent form gives the financial institution authorisation to query the NIBSS database, match the customer's provided BVN against NIBSS records, and use the verified data for Know Your Customer (KYC) and Anti-Money Laundering/Counter-Terrorism Financing (AML/CFT) compliance.

The NDPA 2023 — which established the Nigeria Data Protection Commission (NDPC) and superseded the Nigeria Data Protection Regulation (NDPR) 2019 — classifies biometric data (including BVN data) as sensitive personal data requiring explicit consent for processing. The BVN consent form is the mechanism by which financial institutions obtain this legally required consent.

For digital financial services including mobile banking, digital lending, and payment processing, the BVN consent is typically captured electronically through the institution's mobile app or online portal, but a written consent form remains essential for face-to-face onboarding, account opening for less tech-savvy customers, and for documentary compliance with CBN AML/CFT examination requirements.

The Nigeria Data Protection Act 2023 (NDPA) — administered by the Nigeria Data Protection Commission (NDPC) — superseded the Nigeria Data Protection Regulation (NDPR) 2019 and introduced stricter requirements for processing biometric data, including BVN data. Under Section 30 of the NDPA 2023, financial institutions processing sensitive personal data (which includes biometric identifiers) must conduct a Data Protection Impact Assessment (DPIA) and notify the NDPC. The Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 criminalises identity theft and unauthorised access to biometric databases, with the Economic and Financial Crimes Commission (EFCC) having prosecution powers. The Federal High Court has exclusive jurisdiction over CBN regulatory matters and NDPA enforcement actions, while the Supreme Court of Nigeria is the apex court for all civil disputes.

The CBN Consumer Protection Framework 2016 requires financial institutions to handle customer data responsibly and to provide clear disclosures about data use practices. Under the CBN's AML/CFT Regulations 2013 (as amended), Authorised Financial Institutions must maintain Customer Due Diligence (CDD) records including BVN verification records for a minimum of 5 years after the end of the business relationship. The Nigerian Financial Intelligence Unit (NFIU) — Nigeria's financial intelligence body — may access BVN-linked transaction data as part of Suspicious Transaction Report (STR) investigations under the Money Laundering (Prevention and Prohibition) Act 2022. The Asset Management Corporation of Nigeria (AMCON) and the FIRS may also access BVN data through lawful regulatory channels in connection with debt recovery and tax enforcement proceedings. The National Identity Management Commission (NIMC) issues the National Identification Number (NIN), which is increasingly linked to BVN data in the CBN's customer identification framework, and the BVN-NIN linkage requirement was mandated by CBN Circular BSD/DIR/GEN/LAB/14/023 of 2021. Forms-legal.com provides this template as a starting point for Nigeria-compliant BVN consent documentation.

A CBN BVN Consent Form in Nigeria is required in the following situations.

When a new customer opens a bank account at a CBN-licensed commercial bank, microfinance bank, or primary mortgage institution. The KYC process requires BVN collection, and the NDPA 2023 requires explicit written consent for the collection and processing of biometric data.

When a fintech company, digital lender, or payment service provider onboards a new customer and needs to verify the customer's identity against the NIBSS BVN database as part of its AML/CFT compliance obligations under the CBN's AML/CFT Regulations 2013.

When a credit bureau (such as CreditRegistry, CRC Credit Bureau, or FirstCentral Credit Bureau, all licensed by the CBN) seeks consent from a bank customer to access and report on the customer's credit history, which is linked to the BVN.

When a customer requests a linkage of their BVN to a newly opened account at a financial institution where the BVN was previously enrolled at a different institution, requiring cross-institution identity verification through NIBSS.

When a corporate customer designates an authorised signatory on a business account and the signatory's BVN must be verified as part of the bank's customer due diligence (CDD) process under the CBN's KYC Regulations.

Parties in Nigeria should prepare a CBN BVN Consent Form (Nigeria) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. The Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Commission (NDPC) protect personal data. The Federal Inland Revenue Service (FIRS) administers tax obligations under the Companies Income Tax Act. The Federal High Court and state High Courts have jurisdiction over civil matters. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.

A complete Nigeria CBN BVN Consent Form should contain the following elements.

Customer identification: Full legal name of the account holder or customer, date of birth, residential address, phone number registered with the BVN, and email address.

BVN: The 11-digit Bank Verification Number of the customer. The form should note that the BVN will be verified against the NIBSS database and that the customer warrants the BVN provided is their own and is valid.

Institution details: Name, CBN licence number, and registered address of the financial institution requesting consent.

Purpose of BVN access: A clear statement of the specific purposes for which the BVN will be accessed and used — for example: account opening and KYC verification, credit assessment, fraud prevention, AML/CFT screening against the CBN BVN Watchlist, and regulatory reporting to the CBN.

Data sharing consent: Where the institution intends to share BVN-linked data with third parties (such as credit bureaus, payment processors, or group companies), a specific consent to that sharing, identifying the categories of third parties and the purpose of sharing.

Data retention: The period for which the BVN data will be retained, consistent with the institution's data retention policy and the NDPA 2023 requirements.

Withdrawal of consent: The customer's right to withdraw consent under the NDPA 2023, and the process for doing so (noting that withdrawal may affect the customer's ability to maintain regulated financial products).

Customer signature: Signature, date, and printed name. For digital onboarding, the electronic acceptance mechanism and its timestamp, compliant with the CBN's Electronic Banking Guidelines and the Evidence Act 2011 (Section 84) on electronic records.

Data Protection Impact Assessment (DPIA) reference: For institutions processing BVN data of more than 2,000 customers, the DPIA conducted under Section 30 of the Nigeria Data Protection Act 2023 (NDPA) should be referenced, confirming that the Nigeria Data Protection Commission (NDPC) has been notified as required.

AML/CFT screening disclosure: Where the institution will use the BVN to screen against the CBN BVN Watchlist under CBN Circular BSD/DIR/GEN/LAB/07/023 or against sanctions lists maintained by the Office of the National Security Adviser (ONSA), this must be clearly disclosed in the consent form.

Complaint and withdrawal mechanism: The customer's right to withdraw consent under Section 25 of the NDPA 2023, the right to lodge a complaint with the NDPC at ndpc.gov.ng, and the right to complain to the CBN Consumer Protection Department. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

BVN-NIN linkage: Where required by CBN Circular BSD/DIR/GEN/LAB/14/023, the consent form should also cover the linking of the customer's National Identification Number (NIN) — issued by the National Identity Management Commission (NIMC) — to the BVN, confirming the customer's agreement to the cross-referencing of both identity systems.

Record retention: The institution must retain the signed BVN consent form for at least 5 years after the end of the business relationship under the CBN's AML/CFT Regulations 2013, and for at least 7 years for anti-money laundering compliance purposes under the Money Laundering (Prevention and Prohibition) Act 2022.

Audit trail: The institution should maintain an audit trail of when BVN data was accessed, by which staff member, and for what purpose, as part of its data governance obligations under the NDPA 2023 and the CBN Information Technology Standards Framework. The Nigerian Financial Intelligence Unit (NFIU) may request access to such records during a Suspicious Transaction Report (STR) investigation. The Federal High Court has jurisdiction over NDPA 2023 enforcement actions brought by the NDPC. Forms-legal.com provides this template as a starting point for Nigeria-compliant BVN consent documentation. The Supreme Court of Nigeria is the apex court for financial services disputes.